Archive for July 2016

Official Black Hat USA App Allows Spying, Attendee Impersonation

Ah, the irony: As the security community gears up for Black Hat USA 2016, a flaw in the official conference app enables attackers to become anyone or spy on attendees.

Conference attendees can install the app on their mobile devices to browse the conference’s agenda, get exhibitor info, message attendees, schedule events they will attend and participate in a conference-wide Twitter-like activity feed. According to Lookout Security, a flaw opens the door to attendee impersonation—so users should be cautious of any activity or messages that are posted or received within the app.

“While investigating both the iOS and Android versions of the Black Hat USA 2016 app, we discovered that a user could register using any email address they want (as long as it hasn’t already been used to register with the app previously),” explained Lookout researcher Andrew Blaich, in a blog. “This includes any email address, whether or not the person signing up owns the email address. It doesn’t even matter if the email address exists at all.” Further, the app requires no email confirmation at login: the user is logged in immediately after typing in any email address, so ownership of the mailbox is never proven.

So, after guessing a registrant’s email address—not hard, considering that corporate email addresses tend to follow a set pattern—an attacker can log in as that person, post messages, and comment on other people’s posts in the app’s Activity Feed that all conference app users can see.

“For example, this means a person can pretend to be from one company, but recommend another company's product, services or conference event,” Blaich said.

But the concerns don’t stop there. Lookout also discovered that if a password reset is issued for an account, any existing devices still logged in under that account will continue to retain access. This means that the real owner of an email address can use the social, scheduling and other features of the app, but so can the attacker—without the real user knowing their account is being spied on.

“An attacker with foresight can register (before the real user does) any name and email address for the attendee they want to track in the app,” Blaich explained. “After doing this, an attacker can have permanent access to the account with that email address, even in cases where the real user resets the account’s password. This is possible because the authentication token does not appear to expire when the account’s password is reset. The attacker has permanent access to the account and can spy on the user and post comments impersonating the victim.”
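To make the two Lookout findings concrete, here is an added Python sketch of an account service that closes both gaps: registration only activates once a verification code delivered out of band (to the mailbox) is presented back, and every session token carries the account’s token version, which a password reset bumps so that tokens issued before the reset stop validating. This is example code written for this page, not the Black Hat app’s or DoubleDutch’s implementation; the class and method names, the HMAC token format, the PBKDF2 parameters and the in-memory store are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    verified: bool = False              # set only when the emailed code comes back
    password_hash: bytes = b""          # 16-byte salt + PBKDF2 digest
    token_version: int = 0              # incremented on every password (re)set
    pending_code: Optional[str] = None  # verification code awaiting confirmation


class AuthService:
    """Hypothetical in-memory account service (an assumption, not the real app's design)."""

    PBKDF2_ROUNDS = 200_000

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.token_key = secrets.token_bytes(32)  # HMAC key for session tokens

    def register(self, email: str) -> str:
        """Create an unverified account and return the code that would be emailed.
        The code must reach the client only via the mailbox, never in the API response."""
        email = email.lower()
        if email in self.accounts:
            raise ValueError("email already registered")
        acct = Account(email=email, pending_code=secrets.token_urlsafe(32))
        self.accounts[email] = acct
        return acct.pending_code

    def verify(self, email: str, code: str) -> bool:
        """Only whoever controls the mailbox can activate the account."""
        acct = self.accounts.get(email.lower())
        if acct is None or acct.pending_code is None:
            return False
        if not hmac.compare_digest(code, acct.pending_code):
            return False
        acct.verified, acct.pending_code = True, None
        return True

    def set_password(self, email: str, password: str) -> None:
        """Set or reset the password; bumping token_version revokes every existing session."""
        acct = self.accounts[email.lower()]
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)
        acct.password_hash = salt + digest
        acct.token_version += 1

    def login(self, email: str, password: str) -> Optional[str]:
        """Return a session token, or None for unverified accounts or a wrong password."""
        acct = self.accounts.get(email.lower())
        if acct is None or not acct.verified or not acct.password_hash:
            return None
        salt, digest = acct.password_hash[:16], acct.password_hash[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        return self._issue_token(acct)

    def _issue_token(self, acct: Account) -> str:
        # Token = email:version:HMAC; the version binds it to the current password epoch.
        payload = f"{acct.email}:{acct.token_version}"
        mac = hmac.new(self.token_key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{mac}"

    def validate_token(self, token: str) -> Optional[str]:
        """Return the account email for a live token, or None if forged or revoked."""
        try:
            email, version, mac = token.rsplit(":", 2)
        except ValueError:
            return None
        expected = hmac.new(self.token_key, f"{email}:{version}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        acct = self.accounts.get(email)
        if acct is None or not version.isdigit() or int(version) != acct.token_version:
            return None  # token predates a password reset (or the account never existed)
        return acct.email
```

The version counter is the cheap way to get “reset revokes everything” without tracking individual tokens; a server-side session table that is cleared on reset achieves the same effect. Either way, the check has to happen on every request, not just at login.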

There’s also a physical security risk: An attacker can spy on a targeted user and determine what their conference schedule will be.

“This vulnerability is a timing-attack, in which the first to register an account wins. You just hope that the first to register is you and not someone pretending to be you,” Blaich said.

Lookout said that it followed responsible disclosure with the creators of the app, UBM and DoubleDutch, which said they would close these vulnerabilities before the Black Hat USA conference starts.

Russian Hackers May Have Hit the Dems' Donor Site Too

Fresh on the heels of GOP presidential nominee Donald Trump inviting Vladimir Putin to “find” Hillary Clinton’s deleted emails, the FBI has uncovered a cyberattack on the Democratic Congressional Campaign Committee that could be tied to Russia.

The DCCC raises money for Democrats running for seats in the U.S. House of Representatives. As far back as June, the attackers set up a bogus website with a name closely resembling that of a main donation site connected to the DCCC. From there, they proceeded to harvest data as visitors provided their information (including names and email addresses) and credit-card info to donate.

Over the weekend, just as the Democratic National Convention started up in Philadelphia, Wikileaks began publishing emails purportedly coming from DNC officials; more than 19,000 of them, in a searchable database. The missives show a distinct bias within the DNC for presumptive Democratic nominee Hillary Clinton over her main rival in the primaries, Senator Bernie Sanders of Vermont.

Some believe that the hack is an attempt by the Russian government to sway the US election in favor of Republican candidate Donald Trump, who told the New York Times that the US wouldn't defend NATO allies against Russia unless those states have "fulfilled their obligation to us."

"I have concerns that an agency of foreign intelligence is hacking and interfering with a U.S. election," Clinton campaign chairman John Podesta told Reuters. He added that he had not seen news of the DCCC attack.

Trump went on to make headlines after a press conference in which he pooh-poohed the theory, saying, “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing. I think you will probably be rewarded mightily by our press.”

He was referring to the Democratic nominee’s controversial email practices when she was Secretary of State, and later said that the remark was sarcastic.

Chinese Hackers Attack Airports Across Vietnam

A group identifying as Chinese hackers has attacked digital signage screens, overhead announcement systems and airline systems at airports across Vietnam.

The country’s Deputy Minister of Transport, Nguyen Nhat, confirmed that flight information screens at both Noi Bai International Airport in Hanoi and Tan Son Nhat International Airport in Ho Chi Minh City have been compromised to display offensive messages toward Vietnam and the Philippines, along with “distorted information about the East Vietnam Sea.” At the latter airport, the loudspeaker system was also compromised to blare out offensive messages in English.

The Da Nang International Airport, the largest in central Vietnam, did not have its announcement system compromised, but the computer system experienced repeated glitches. And further, airlines at 21 airports across Vietnam have had to switch to manual processes to complete check-in procedures for passengers. Some airlines shut down some check-in counters completely—leading to flight delays.

“All Internet systems have been switched off so we had to do everything by hand,” an airline attendant at Tan Son Nhat airport told a local news outlet.

The VIP passenger section on the website of Vietnam Airlines was also hacked and defaced, and one source told the news outlet that personal data of some 411,000 passengers had been lifted as well.

The perpetrators are claiming credit as the China 1937CN Team. The widespread campaign is “a warning message” for Vietnam and the Philippines, they said.

In May 2015, some 1,000 Vietnamese websites were attacked by the same group, including 15 government-run platforms and 50 education sites. Around 200 websites in the Philippines were also attacked in the same period, between May 30 and 31, 2015.

Most Brits Don’t Want Snoopers’ Charter – Report

The British public has given a resounding thumbs down to the controversial Investigatory Powers Bill (IPB) working its way through parliament, with over three-quarters (76%) concerned it will green light increased government snooping powers, according to new research.

The findings come from a new survey commissioned by digital certificate security firm Venafi to accompany a new report, titled: Government Powers and the End of Corporate Control Over Privacy: A United Kingdom Perspective.

The survey found two-thirds (65%) of UK citizens don’t trust the government with their data, and even more (69%) reckon it abuses its power to access that data.

In addition, 70% think the government will abuse any new snooping powers it might get under the IPB, and the same percentage are against forcing companies like Apple to engineer deliberate backdoors into their products for law enforcement.

It’s a pretty unambiguous stance from the British public, yet the IPB looks set to sail through a parliament distracted by the aftermath of the Brexit vote.

The one chance rights groups may have to water down the bill’s proposals is if the government decides it is in Britain’s best interests to mirror EU data protection law in a bid to ease future trade talks with Europe.

If that’s the case then it would have to tone down parts of the bill that seek to enshrine the practice of bulk surveillance in law – the very thing which caused the tearing up of the old Safe Harbor agreement between the US and EU.

Despite the UK public’s suspicion of the government, the vast majority (69%) still believe that the US government has more far-reaching powers to access citizens’ data than its British counterpart.

However, according to the Venafi report, the opposite is true, with the current RIPA law meaning law enforcers can force individuals – including CEOs of firms that hold data – to hand over data without the need for a judicial order.

This law – parts of which are being incorporated into the new Snoopers’ Charter – could also theoretically allow the authorities to force tech providers to create backdoors in their products, according to Venafi.

As if to underscore the dangers of granting the authorities greater snooping powers, a recent Big Brother Watch FoI-based report claimed UK police have suffered over 2,300 breaches over the past four years.

More worryingly, these breaches were a result of insiders – i.e. police and police staff – abusing their privileged position.

Venafi argued that given the current track the government is on, businesses should be prepared to hand over cryptographic keys and certificates during investigations.

To do this they need to get better at finding where these reside and who ‘owns’ them. Venafi claimed that on average customers find 16,500 previously unknown keys and certs.

“Organizations need to know and abide by the law, and keep pace as more key disclosure laws and rulings are introduced in the future,” argued Venafi VP of security strategy, Kevin Bocek.

“This means that IT security teams must find where all keys and certificates live, establish ownership, protect their ongoing lifecycle, and monitor any changes. It is a fiscal responsibility to comply and failure to do so could have serious consequences for the business, executives, and directors.”

Ransomware Author Leaks Rival’s Decryption Keys

Victims of the Chimera ransomware were thrown a lifeline this week after a rival malware author appeared to leak the decryption keys online.

Spotted by Malwarebytes on Tuesday, the Twitter user @Janussecretary posted a link to a Pastebin document containing the keys and a message.

The user claimed to be the author of the Mischa ransomware, adding:

“Like the analysts already detected, Mischa uses parts of the Chimera source. We are NOT connected to the people behind Chimera. Earlier this year we got access to big parts of their development system, and included parts of Chimera in our project.

Additionally now we release about 3500 decryption keys from Chimera. They are RSA private keys and shown below in HEX format. It should not be difficult for antivirus companies to build a decrypter with this information.”

However, Malwarebytes claimed it would take some time before it could be sure the decryption keys are genuine and to write a decryptor tool with them.

This isn’t the first time that ransomware victims have been rescued by an unlikely source.

In May, Avira researcher Sven Carlsen revealed that someone with access to one of the C&C servers linked to the infamous Locky ransomware had replaced the malware with a 12KB binary carrying the message ‘Stupid Locky.’

Ransomware continues to cause havoc for consumers and organizations that are struck down.

New stats from Panda Security yesterday claimed that the category dominated the 18 million new malware samples it discovered in the second quarter.

The firm said that over just a three-week period it had blocked 3,000 instances of Cerber ransomware which was being spread using Windows Management Instrumentation Command-line (WMIC).

The smart advice is to take a preventative approach, using layered defense at the web and email gateway, endpoint, server and network level. IT admins are also advised to back-up data using a 3-2-1 approach – that is, at least three copies, in two different formats and one copy residing off site.

Ransomware Dominates 18 Million New Q2 Malware Samples

Panda Security detected a staggering 18 million new malware samples in the second quarter, the majority of which were credential stealers and ransomware, it claimed in a new report.

The Spanish security vendor’s PandaLabs Report for the quarter revealed an average of 200,000 new threats were detected daily during the period, the majority of which were trojans.

The figure actually dropped from the 227,000 per day spotted in the previous quarter.

PandaLabs technical director, Luis Corrons, explained that the firm didn’t have a breakout of ransomware stats for the period.

However, as an indicator of the scale of the threat facing consumers and businesses he shared some unpublished data with Infosecurity that shows Panda Security has blocked over 3,000 infection attempts relating to a single ransomware variant – Cerber – over the past three weeks alone.

That’s data from just one vendor dating back less than a month and relating to just one variant and one very specific attack methodology – in this case using Windows Management Instrumentation Command-line (WMIC) to try and bypass security filters.
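Neither Panda article says what the Cerber WMIC command lines looked like, so the following is an added Python example, not Panda’s detection logic or data: a small classifier run over constructed Sysmon-style process-creation records that flags wmic.exe being launched by an Office or script host, or being used to create a process locally or on a remote host via /node:. The field names, the sample records and the two heuristics are assumptions about how WMIC abuse typically shows up in endpoint telemetry, and they cover both mentions of the Cerber/WMIC campaign above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records (not real telemetry from the Cerber campaign).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic computersystem get name"},                       # benign inventory
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "C:\\Users\\Public\\update.exe"'},  # macro -> WMIC
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:192.0.2.15 process call create notepad.exe"},   # lateral movement
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},                                        # unrelated
]

# Heuristic 1: wmic.exe should not be a child of a document viewer or script host.
OFFICE_OR_SCRIPT_PARENTS = re.compile(
    r"\\(winword|excel|powerpnt|outlook|wscript|cscript|mshta)\.exe$", re.IGNORECASE)
# Heuristic 2: "process call create" launches a binary; "/node:" targets another machine.
PROCESS_SPAWN = re.compile(r"(/node:|process\s+call\s+create)", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event is suspicious; empty means not flagged."""
    reasons: List[str] = []
    if not event["Image"].lower().endswith(r"\wmic.exe"):
        return reasons
    if OFFICE_OR_SCRIPT_PARENTS.search(event["ParentImage"]):
        reasons.append("wmic spawned by Office or script host")
    if PROCESS_SPAWN.search(event["CommandLine"]):
        reasons.append("wmic used to create a process (local or /node: remote)")
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every flagged event, preserving input order."""
    hits = []
    for index, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], "->", "; ".join(reasons))
```

The parent-process rule is the higher-signal one: administrators do run `wmic process call create` from cmd.exe, so that pattern on its own needs allow-listing per environment, whereas WINWORD.EXE spawning wmic.exe almost never has a legitimate explanation.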

The PandaLabs report illustrated the sheer variety of attack methods used by ransomware authors through several examples.

One of the more interesting was that of a Slovenian company which was contacted by Russian cyber-criminals claiming they had already compromised its network and had ransomware primed and ready to execute on all PCs.

“To prove that they had access to the company’s network, the culprits sent a file with a list of all devices connected to the company’s internal network,” the report explained.

This differs from most ransomware attacks, where all corporate data is encrypted first of all and then the victim has a set time period to pay up or lose access to the vital decryption key forever.

The quarter wasn’t all about ransomware, of course, and Panda Security also highlighted a surge in attacks against POS systems – mainly in the US – and banks.

The report also warned of a growing trend towards security breaches in the Internet of Things and mobile devices.

Experts: Rio Travelers to Face Barrage of Security Threats

Security experts have warned travelers to the Rio Olympics and those searching for updates back at the office to exercise extra caution in order to avoid what’s likely to be a barrage of cyber threats.

The Summer Games kick off next Friday and, as always, cyber-criminals will be primed to capitalize on the huge global interest in the event.

“With almost half a million people forecasted to travel to Rio, your physical and cyber safety should be high on your packing list,” said Mandy Huth, director of cyber security for networking company Belden.

“If you are heading to Rio, take a few minutes to review your security hygiene. Good cybersecurity will help you avoid potential cyber-attacks and scams when you see your favorite events.”

She urged travelers to ensure any laptops are protected with full disk encryption to protect any data on them in the event of theft or loss. Another handy tip is to use “hibernate” or “shut down” rather than “sleep”: a sleeping machine keeps the disk encryption key in memory, so the encryption protects nothing until the machine is fully powered down.

Visitors to Rio were also urged not to use any public Wi-Fi networks but instead utilize VPNs or private hot spots.

Other tips include switching on a laptop privacy filter to minimize the risk of shoulder surfing, ensure auto-lock kicks in after a few minutes, and to keep laptops and mobile devices out of sight where possible.

It’s not just those traveling to Brazil that are at risk, however, with Zscaler warning that in the past, a whopping 80% of ‘Olympic’ web domains were actually found to be scams or spam.

Online scams designed to phish personal information or install malware on computers will be rife during the event and can arrive in many forms – from emails to social posts, typosquatting domains, malicious apps and even over-the-phone scams.

Bogus ticketing sites and pages offering free live streaming of events are just two of the likely lures used by cyber-criminals before and during the event.

The one saving grace for IT managers is that few of the tactics used by the black hats are likely to be new, according to the cloud security firm.

“Cyber-criminals will look to play on our anticipation of the Games this year” claimed Zscaler EMEA CISO, Chris Hodson.

“Businesses need to ensure that they are able to identify phishing sites and detect scripts which are running in webpages which could be malicious. Relying on URL filtering and reputation off-site is no longer an appropriate cybersecurity defense framework. Streaming sites should be enabled on a whitelist-only approach.”

He added that firms should be blocking access to third party app stores as a matter of course to further lock down risk.

Osram ‘Smart Light’ Bugs Could Allow Corporate Wi-Fi Access

Security researchers have revealed several major vulnerabilities in Osram Lightify smart lighting systems which could allow remote hackers to launch browser-based attacks and even access corporate networks.

Osram, which sells both Home and Pro products, claims it agreed to testing of its Lightify products by Rapid7.

One of the most serious of the nine vulnerabilities discovered by Rapid7 research lead, Deral Heiland, is a cross-site scripting flaw in the web management interface of the Pro product which could allow an attacker to launch browser-based attacks.

“This vulnerability allows a malicious actor to inject persistent JavaScript and HTML code into various fields within the Pro web management interface. When this data is viewed within the web console, the injected code will execute within the context of the authenticated user,” explained the firm in a blog post.

“As a result, a malicious actor can inject code which could modify the system configuration, exfiltrate or alter stored data, or take control of the product in order to launch browser-based attacks against the authenticated user's workstation.”

Another potentially dangerous vulnerability is CVE-2016-5056, which could allow remote attackers to access corporate wireless networks and from there go on to attack high value resources.

The problem lies in the system’s weak default WPA2 pre-shared keys (PSKs): only eight characters long and drawn only from the hexadecimal alphabet “0123456789abcdef”, which gives 16^8 (about 4.3 billion, or 32 bits) possible keys.

Rapid7 was able to brute-force the PSK in under six hours, and in one case under three, recovering the cleartext WPA2 PSK.
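To show why 32 bits is not enough, here is an added Python example (not Rapid7’s tooling or Osram’s code) that computes the keyspace of the default PSK, derives a WPA2 PMK the way IEEE 802.11i does (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 rounds), runs an exhaustive search over a deliberately tiny keyspace to show the shape of the attack, and generates a replacement PSK from a much larger alphabet. The SSID used in the search, the candidate rate passed to the time estimate and the helper names are assumptions; the “password”/“IEEE” pair in the test is the published 802.11i test vector.

```python
import hashlib
import itertools
import math
import secrets
import string
from typing import Optional

HEX_ALPHABET = "0123456789abcdef"                     # the default PSK alphabet per Rapid7
ALNUM_ALPHABET = string.ascii_letters + string.digits  # 62 symbols for a replacement PSK


def keyspace_bits(alphabet: str, length: int) -> float:
    """Entropy in bits of a PSK chosen uniformly from alphabet^length."""
    return length * math.log2(len(alphabet))


def hours_to_exhaust(bits: float, candidates_per_second: float) -> float:
    """Worst-case time to try every key at an assumed PBKDF2 throughput."""
    return 2 ** bits / candidates_per_second / 3600


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK derivation: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def brute_force_psk(target_pmk: bytes, ssid: str, alphabet: str, length: int) -> Optional[str]:
    """Exhaustive search over alphabet^length. An attacker with a captured 4-way handshake
    tests candidates the same way, checking the handshake MIC instead of a raw PMK."""
    for combo in itertools.product(alphabet, repeat=length):
        candidate = "".join(combo)
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


def generate_psk(length: int = 63, alphabet: str = ALNUM_ALPHABET) -> str:
    """Replacement PSK: 63 characters from a 62-symbol alphabet (~375 bits of input entropy;
    the derived PMK is 256 bits, so anything beyond that is headroom)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"default keyspace: {keyspace_bits(HEX_ALPHABET, 8):.0f} bits")
    # 200k candidates/s is an assumed GPU rate, not a figure from the Rapid7 report
    print(f"worst case at 200k/s: {hours_to_exhaust(32, 200_000):.1f} hours")
    print(f"replacement keyspace: {keyspace_bits(ALNUM_ALPHABET, 63):.0f} bits")
```

The search here is over two hex characters (256 candidates) purely so it finishes in a fraction of a second; the code path is identical for the full eight-character default, only the loop is 2^24 times longer.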

Heiland claimed the bugs he found show “we need to build better policy around managing the risk and develop processes on how to deploy these technologies in a manner that does not add any unnecessary risk."

Osram explained in a statement sent to Infosecurity that the majority of bugs would be patched in the next version update, planned for August.

It added:

“Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee protocol, which are unfortunately not in Osram’s area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities.”

Thomas Fischer, global security advocate at Digital Guardian, argued that IoT devices are often produced with “simplified hardware” which keep costs down but also means they “lack basic principles of integrity and failover.”

“Companies that attempt to add protection retrospectively will face a task of enormous magnitude, and there's a much higher chance mistakes will be made and vulnerabilities missed,” he added.

“It is critical that organizations developing IoT technologies – and even those selling them – ensure these products have been developed, built and sold with security in mind.”

Ponemon: Cloud Adoption Grows as Security Lags

Cloud adoption is growing, but companies aren’t taking security into account the way they should. A fresh Ponemon Institute survey shows that many businesses simply aren’t adopting appropriate governance and security measures to protect sensitive data in the cloud.

The results show that 73% of respondents deem cloud-based services and platforms important to their organization’s operations, and 81% said they will be more so over the next two years. And in fact, 36% of respondents said their companies’ total IT and data processing needs were met using cloud resources today (a number that will increase to 45% over the next two years).

Yet, 54% of respondents said their companies do not have a proactive approach to managing security and complying with privacy and data protection regulations in cloud environments. More than half say their organizations are not careful about sharing sensitive information in the cloud with third parties such as business partners, contractors and vendors.

“Cloud security continues to be a challenge for companies, especially in dealing with the complexity of privacy and data protection regulations,” said Larry Ponemon, chairman and founder, Ponemon Institute. “To ensure compliance, it is important for companies to consider deploying such technologies as encryption, tokenization or other cryptographic solutions to secure sensitive data transferred and stored in the cloud.”

The challenges are myriad: For one, difficulty in controlling or restricting end-user access increased from 48% in 2014 to 53% of respondents in 2016. The other major challenges that make security difficult include the inability to apply conventional information security in cloud environments (70% of respondents) and the inability to directly inspect cloud providers for security compliance (69% of respondents). There’s also the shadow IT issue: nearly half (49%) of cloud services are deployed by departments other than corporate IT, and an average of 47% of corporate data stored in cloud environments is not managed or controlled by the IT department.

“Organizations have embraced the cloud with its benefits of cost and flexibility but they are still struggling with maintaining control of their data and compliance in virtual environments,” said Jason Hart, vice president and CTO for data protection at Gemalto, which sponsored the report. “It’s quite obvious security measures are not keeping pace, because the cloud challenges traditional approaches of protecting data when it was just stored on the network. It is an issue that can only be solved with a data-centric approach in which IT organizations can uniformly protect customer and corporate information across the dozens of cloud-based services their employees and internal departments rely [on] every day.”

There are some positive results in the survey. Despite lagging in implementation, 65% of respondents said their organizations are committed to protecting confidential or sensitive information in the cloud. And there’s improvement: In 2014, 60% of respondents felt it was more difficult to protect confidential or sensitive information when using cloud services. This year, just 54% said the same. Similarly, confidence in knowing all cloud computing services in use is increasing: 54% of respondents are confident that the IT organizations know all cloud computing applications, platform or infrastructure services in use—a 9% increase from 2014.

ISF Releases Major Update for Security Standard Practice Guidelines

The Information Security Forum (ISF) has published a major update to its Standard of Good Practice for IT security professionals.

The Standard enables organizations to meet the control objectives set out in the NIST Cybersecurity Framework and extends well beyond the topics defined in the framework to include coverage of essential and emerging topics such as information security governance, supply chain management (SCM), data privacy, cloud security, information security audit and mobile device security.

The 2016 version of The Standard has been restructured into 17 main categories for ease of use and improved alignment with ISF member approaches to managing information security. Its design also offers systematic coverage of four new or enhanced lifecycles:

System development lifecycle – mainly focused on the design and development of critical business applications, but applicable to all types of system development (e.g., for IT infrastructure)

“The increasing pace of change, shifting global threat levels, growing reliance on the supply chain and greater demand for efficacy from stakeholders represent some of the numerous challenges organizations are facing today,” said Steve Durbin, managing director, ISF. “The Standard is used widely across the ISF membership which consists of many of the leading Fortune and Forbes global companies. It provides extensive coverage of information security topics including those associated with security strategy, incident management, business continuity, resilience and crisis management. These topics present practical advice that enables organizations to improve their resilience against a wide-ranging array of threats and low probability, high-impact events that can threaten the success, and sometimes even the existence, of the organization.”

The guidance takes into account new legislation such as EU General Data Protection Regulation (GDPR), which will take effect in May 2018, impacting every organization that holds personal information on EU citizens, as well as the EU Network and Information Security (NIS) directive, which aims to protect critical infrastructure and sets common cybersecurity standards and reporting requirements for applicable organizations. Effective implementation depends on strong information risk assessment, so that controls described in The Standard are applied in line with risk, Durbin added.

“The best practices defined in The Standard will normally be incorporated into an organization’s information security policy, business processes, environments and applications, and should be of great interest and relevance to a range of individuals within the organization as well as external stakeholders,” he said.